The invention relates to a method for creating an authorized domain.
The invention further relates to a device, and a token for creating an authorized domain, and to a computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to the invention.
The invention further relates to a created authorized domain and to a digital rights management system for enforcing a created authorized domain.
In recent years, the amount of content protection systems is growing in a rapid pace. Some of these systems only protect the content against illegal copying, while others are also prohibiting the user to get access to the content. The first category is called Copy Protection (CP) systems. CP systems have traditionally been the main focus for consumer electronics (CE) devices, as this type of content protection is thought to be cheaply implemented and does not need bi-directional interaction with the content provider. Some examples are the Content Scrambling System (CSS), the protection system of DVD ROM discs and DTCP (a protection system for IEEE 1394 connections).
The second category is known under several names. In the broadcast world, systems of this category are generally known as conditional access (CA) systems, while in the Internet world they are generally known as digital rights management (digital rights management) systems.
A home network can be defined as a set of devices that are interconnected using some kind of network technology (e.g. Ethernet, IEEE 1394, BlueTooth, 802.11b, 802.11g, etc.). Although network technology allows the different devices to communicate, this is not enough to allow devices to interoperate. To be able to do this, devices need to be able to discover and address the functions present in the other devices in the network. Such interoperability is provided by home networking middleware. Examples of home networking middleware are Jini, HAVi, UPnP, AVC.
The concept of authorized domains aims at finding a solution to both serve the interests of the content owners (that want protection of their copyrights) and the content consumers (that want unrestricted use of the content). The basic principle is to have a controlled network environment in which content can be used relatively freely as long as it does not cross the border of the authorized domain. Typically, authorized domains are centered around the home environment, also referred to as home networks. Of course, other scenarios are also possible. A user could for example take a portable device for audio and/or video with a limited amount of content with him on a trip, and use it in his hotel room to access or download additional content stored on his personal audio and/or video system at home. Even though the portable device is outside the home network, it is a part of the user's authorized domain. In this way, an authorized domain is a system that allows access to content by devices in the domain, but not by any others.
For a more extensive introduction to the use of an authorized domain, etc., see S. A. F. A. van den Heuvel, W. Jonker, F. L. A. J. Kamperman, P. J. Lenoir, Secure Content Management in authorized domains, Philips Research, The Netherlands, IBC 2002 conference publication, pages-474, held at 12-16 Sep. 2002.
Various proposals exist that implement the concept of authorized domains to some extent.
One type of previous solutions include device based authorized domains. Examples of such systems are SmartRight (Thomson Multimedia), xCP, and NetDRM (Matshushita). A further example of a device based authorized domain is e.g. given in international patent application WO 03/098931 by the same applicant.
In typical device based authorized domains, the domain is formed by a specific set of devices and content. Only the specific set of devices of the domain is allowed to access, use, etc. the content of that domain. There is not made any distinction of the various users of the specific set of devices.
A drawback of device based authorized domain systems is that they typically do not provide the typical flexibility that a user wants or need, since users are restricted to a particular and limited set of devices. In this way, a user is not allowed to exercise the rights that the user has obtained anytime and anywhere he chooses. For example, if a user is visiting a friend's house he is not able to access his legally purchased content on the friend's devices as these devices would not typically be part of the particular and limited set of devices forming the domain comprising the user's content.
Another type of previous solutions is person based authorized domains where the domain is based on persons instead of devices, as was the case for device based authorized domains. An example of such a system is e.g. described in international patent application serial number IB2003/004538 by the same applicant, in which content is coupled to persons, which then are grouped into a domain.
In a typical person based authorized domain access to content bound to that authorized domain is allowed by only a specific and limited set of users, but e.g. using any compliant device. Person based authorized domains typically offer easier domain management compared to device based authorized domains.
However, person based systems require person identification which is not always convenient or preferred by users. Further, a visitor to your home may want to access your content. As he does not have a person id device for that domain, it is not possible for him to access content. It would be preferred if devices in the home belonging to the domain could enable access of domain content by the visitor.
Therefore, there is a need for a hybrid person and device based authorized domain having the individual advantages of each system. Such a hybrid person and device based authorized domain is proposed in European patent application serial number 03102281.7 by the same applicant. In that application, an authorized domain is proposed which combines two different approaches to define an authorized domain. The connecting part between the device and the person approach is a Domain Identifier. The devices are preferably grouped together via a domain devices certificate (DDC), while the persons preferably are separately grouped via a domain users certificate (DUC) and where content is directly or indirectly linked to a person.
However, this authorized domain has the disadvantage that when content is imported into the domain (an action typically done on a device), e.g. from a delivery digital rights management and/or CA system, it is not directly clear to which person the content has to be attributed. In other words, at the moment of import, the system needs additional information of whom it must link the content to.
Therefore, there is a need for a simple method of creating an authorized domain where the additional information required upon importing content is easily and/or directly obtainable. This is achieved with the authorized domain proposed in European patent application serial number 04101256 by the same applicant. In that application a method of generating an authorized domain is proposed wherein a domain identifier uniquely identifying the authorized domain is selected, wherein a user is bound to the domain identifier, wherein a content item is bound to the user, and wherein a device is bound to the user. Rather than binding each of the content items, devices and users to an authorized domain, only users are bound to an authorized domain, and content items and devices are bound in turn to users.
A drawback of the above prior art method is that the authorized domain is managed explicitly, typically by the end-user. This involves adding users, devices, and content items to the authorized domain, requiring considerable effort.
To address the above issues, in particular the managing of the authorized domain, it is an object of the invention to provide a method for creating an authorized domain that does not require explicit management of the authorized domain as such.